Detecting malicious software using sensors

ABSTRACT

In some implementations, a method includes retrieving data from multiple sensors in a computing device, and the multiple sensors comprise different types of sensors. The sensor data is analyzed based on a predictive model, and the predictive model is trained to detect malware. Initiation of malware is determined based on the analysis. In response to the determination, the malware is terminated.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a Continuation of U.S. patent application Ser. No. 15/812,663, filed Nov. 14, 2017, which is incorporated herein by reference in its entirety.

BACKGROUND

Effective defense against a ransomware attack is typically a multi-tiered or layered approach. Detection of the malware when downloading to the victim computer is an outer defense, and if possible, can prevent the ransomware from ever entering the system. This defense attempts to prevent an attack vector from penetrating a victim's host computer. Packet signature monitoring via an intrusion detection system (IDS) or file signature monitoring via a local antivirus software program can provide this capability, but only if these methods are capable of recognizing the malware through knowledge of the data signatures. While this defense is desirable, it is notoriously difficult to prevent infection with previously unknown ransomware versions, or so-called zero-day attacks.

In the case of zero-day ransomware, data signatures and other corresponding characteristics are unknown by definition. Furthermore, the increasing presence of polymorphic malware is causing signature-based approaches to become less effective than they once were.

SUMMARY

In some implementations, a method includes retrieving data from multiple sensors in a computing device, and the multiple sensors comprise different types of sensors. The sensor data is analyzed based on a predictive model, and the predictive model is trained to detect malware. Initiation of malware is determined based on the analysis. In response to the determination, the malware is terminated.

The details of one or more embodiments of the invention are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the invention will be apparent from the description and drawings, and from the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is an example computing device including sensors for detecting ransomware.

FIG. 2 is an example confusion matrix representing machine state versus ransomware detection model prediction for a Windows machine.

FIG. 3A is a plot of encryption activity versus time for a Windows machine.

FIG. 3B is a plot of ransomware detection model prediction versus time for a Windows machine.

FIG. 4 is a confusion matrix representing actual machine state versus ransomware detection model prediction for an Apple machine.

FIG. 5A is a plot of encryption activity versus time for an Apple machine.

FIG. 5B is a plot of ransomware detection model prediction versus time for an Apple machine.

FIG. 6 is a flowchart illustrating an example method for detecting ransomware.

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION

The present disclosure is directed to a system and method for detecting ransomware in an infected host (e.g., computer, mobile device) during the initiation of its payload execution. In these instances, data streams from on-board sensors in the host can be monitored and ransomware infections can be detected using these data streams and predefined criteria. In this sense, a physical side channel can be used where the victim's files are not directly monitored. The behavior of the victim machine is monitored and onboard sensor-provided data is used as side-channel information that can indicate when an encryption operation is occurring. In other words, encryption detection depends upon the use of small yet distinguishable changes in the physical state of a system as reported through onboard sensor-provided data. In some implementations, monitoring can be accomplished through a background process that is loaded at boot time and thus continuously monitors the system for suspicious behavior. Once this suspicious behavior is detected, the user can be alerted and the suspicious processes can be suspended. The central difference between this approach and other previous approaches is that this approach uses secondary effects to detect the presence of malware rather than a direct effect, such as measuring increases in file entropy.

In some implementations, a feature vector can be formulated consisting of various sensor outputs that is coupled with a detection criterion for the binary states of ransomware present versus normal operation. In these instances, previously unknown or zero-day versions of ransomware are vulnerable since no a priori knowledge of the malware, such as a data signature, is required. Experimental results from a system which underwent testing with 16 different test configurations comprised of different simulated system loads unknown to the model and different AES encryption methods used during a simulated ransomware attack showed an average true positive prediction rate of 98.82% and an average false positive prediction rate of 1.57% for predictions made once every second about the state of the system under test.

FIG. 1 illustrates an example computing device 100 for detecting ransomware in accordance with one or more implementations of the present disclosure. In some implementations, the computing device 100 uses sensor data to detect initiation of encryption of data. In the illustrated implementation, the computing device 100 includes a sensor-monitoring module 102 communicably coupled to sensors 104a-e to detect operating conditions of the device 100. As illustrated, the sensors 104a-e include a current sensor 104a, a temperature sensor 104b, an RPM sensor 104c, a voltage sensor 104d, and a power sensor 104e. The computing device 100 may include the same, some, or different sensors to detect malware (e.g., ransomware) without departing from the scope of the disclosure.

In general, the computing device 100 includes sensors 104a-e to monitor the state of internal hardware components. These sensors 104a-e can, in some implementations, continuously or periodically gather and supply sensor data that is communicated with other devices and subsystems to substantially maintain the device 100 within specific operating specifications. If sensor data reveals that a device component is approaching a boundary for a recommended value of an operational specification, safety mechanisms can be engaged to correct the internal environment and prevent or otherwise reduce malfunctions. For example, when the data from the temperature sensor 104b of, for example, a computer's central processing unit (CPU) begins to increase, a signal can be sent to the CPU cooling fan. This signal causes the fan to either become active or to increase the fan speed in order to cool the CPU. Additionally, the sensors 104a-e can provide input to other subsystems such as internal power management units (PMUs) to conserve power usage.

Typically, computing-device components are designed to be compact in size through the use of transistors with feature sizes often in the nanometer scale. As a direct result, whenever computations become more complex, more stress is placed on the components. This increased stress occurs because a large number of transistors are frequently switching in a circuit, which correspondingly causes an increase in dynamic power consumption and, in turn, more heat dissipation, especially during heavy computational activity. Thus, monitoring the side channels of the computing device 100 with the embedded sensors 104a-e that measure operating conditions such as temperature, power consumption, and battery voltage levels can indicate the type of processing that is underway on a computer at a given time. As a result, monitoring a computer's side channels through periodic observations of sensor output data can, in some implementations, indicate when a resource-heavy task, such as encryption, is occurring. Since ransomware utilizes encryption in its payload to deny its victims access to their files, trends emerge in how a computer behaves while under ransomware attack, and these trends can be found by analyzing the computer's side-channel sensor data.

Conventional computers are comprised of the same set of basic internal devices to enable their operation. However, manufacturers may choose to use different and/or unique sets of components for their various computer models. Due to this variation among different product models, corresponding differences among the readings of the internal onboard sensors can occur when they are queried. In the illustrated implementation, the sensor-monitoring module 102 can include any software, hardware, and/or firmware configured to access sensor data (e.g., main memory power usage). For example, the sensor-monitoring module 102 can access sensor data via the command line and/or through calls to the operating system and interpret the onboard sensor data. During experimentation, the Hardware Monitor and the Open Hardware Monitor applications were used to provide information from systems running Apple's OSX® and Microsoft's Windows® operating systems. As an example of the large number of available on-board sensors, a list of the 59 sensors and their readings from an Apple Macbook® is provided below in Table 1.

TABLE 1
APPLE MACBOOK INTERNAL SENSORS AND READINGS

Apple Macbook Sensor: Value

SMART Disk APPLE SSD SD0128F (135251405113) [TEMPERATURE]: 136.4 F.
SMC AIR INLET [TEMPERATURE]: 102.2 F.
SMC BATTERY [TEMPERATURE]: 87.8 F.
SMC BATTERY CHARGER PROXIMITY [TEMPERATURE]: 111.2 F.
SMC BATTERY POSITION 2 [TEMPERATURE]: 87.8 F.
SMC BATTERY POSITION 3 [TEMPERATURE]: 87.8 F.
SMC CAMERA PROXIMITY [TEMPERATURE]: 113 F.
SMC CHARGER PROXIMITY TEMPERATURE [TEMPERATURE]: 100.4 F.
SMC CPU A PROXIMITY [TEMPERATURE]: 120.2 F.
SMC LEFT PALM REST [TEMPERATURE]: 87.8 F.
SMC MAIN HEAT SINK 2 [TEMPERATURE]: 93.2 F.
SMC MAIN LOGIC BOARD [TEMPERATURE]: 96.8 F.
SMC PLATFORM CONTROLLER HUB CHIP TEMPERATURE [TEMPERATURE]: 129.2 F.
SMC SSD BAY [TEMPERATURE]: 98.6 F.
SMC SSD TEMPERATURE A [TEMPERATURE]: 138.2 F.
SMC SSD TEMPERATURE B [TEMPERATURE]: 120.2 F.
SMC WLAN CARD [TEMPERATURE]: 98.6 F.
Smart Battery bq20z451 (1) [TEMPERATURE]: 82.4 F.
Battery 1 Cell 1 [VOLTAGE]: 3.69299 V
Battery 1 Cell 2 [VOLTAGE]: 3.69398 V
Battery 1 Voltage [VOLTAGE]: 7.38699 V
SMC CPU CORE [VOLTAGE]: 1.66211 V
SMC CPU SUPPLY 1 [VOLTAGE]: 1.05176 V
SMC DC INPUT [VOLTAGE]: 0 V
SMC POWER SUPPLY/BATTERY [VOLTAGE]: 7.16016 V
SMC SSD SUPPLY [VOLTAGE]: 3.29883 V
SMC WLAN CARD [VOLTAGE]: 3.29883 V
Battery 1 Current [CURRENT]: 1.45599 A
SMC 5 V S0 LINE [CURRENT]: 0.0498047 A
SMC BACKLIGHT [CURRENT]: 0.00292969 A
SMC BATTERY CURRENT [CURRENT]: 0.78125 A
SMC CPU CORE [CURRENT]: 0.566406 A
SMC CPU HIGH SIDE [CURRENT]: 0.241211 A
SMC CPU SUPPLY 1 [CURRENT]: 0.0107422 A
SMC CPU/VRM SUPPLY 2 [CURRENT]: 0 A
SMC DC INPUT [CURRENT]: 0.00195312 A
SMC DDR3 MEMORY 1.35 V LINE [CURRENT]: 0.881836 A
SMC DDR3 MEMORY S3 LINE [CURRENT]: 0.0771484 A
SMC DISCRETE BATTERY [CURRENT]: 0.738281 A
SMC LCD PANEL [CURRENT]: 0.000976562 A
SMC POWER SUPPLY/BATTERY [CURRENT]: 0.770508 A
SMC SSD SUPPLY [CURRENT]: 0.0771484 A
SMC WLAN CARD [CURRENT]: 0.0107422 A
SMC 5 V S0 LINE [POWER]: 0.164062 W
SMC BACKLIGHT [POWER]: 0.015625 W
SMC CPU CORE [POWER]: 0.964844 W
SMC CPU HIGH SIDE [POWER]: 1.72266 W
SMC CPU SUPPLY 1 [POWER]: 0.0078125 W
SMC CPU/VRM SUPPLY 2 [POWER]: 0 W
SMC DDR3 MEMORY 1.35 V LINE [POWER]: 1.05469 W
SMC DDR3 MEMORY S3 LINE [POWER]: 0.0898438 W
SMC LCD PANEL [POWER]: 0 W
SMC POWER SUPPLY/BATTERY [POWER]: 5.51172 W
SMC SSD SUPPLY [POWER]: 0.25 W
SMC WLAN CARD [POWER]: 0.0351562 W
Battery 1 Current Capacity [CAPACITY]: 503 mAh
Battery 1 Total Capacity [CAPACITY]: 6559 mAh
SMC FAN Exhaust [RPMS]: 1192 RPM
SMC AMBIENT LIGHT 1 [LIGHT]: 70
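The readings in Table 1 are the raw material for the feature vector discussed in the following paragraphs. As an added example (not code from the patent or from its experimental setup), the following Python parses sensor lines in the "NAME [TYPE]: value unit" layout of Table 1 into a dictionary keyed by name and measurement type, then orders a fixed subset of sensors into a feature vector. The sample lines are a constructed subset of the Table 1 readings, and the sensors chosen as features (FEATURE_NAMES) are an assumption for illustration, not the patent's feature set.

```python
import re
from typing import Dict, List

# Constructed sample in the "NAME [TYPE]: value unit" layout of Table 1
# (a hand-picked subset of the Table 1 readings, not a live capture).
SAMPLE_READINGS = """\
SMC CPU A PROXIMITY [TEMPERATURE]: 120.2 F.
SMC CPU CORE [VOLTAGE]: 1.66211 V
SMC CPU CORE [CURRENT]: 0.566406 A
SMC CPU CORE [POWER]: 0.964844 W
SMC DDR3 MEMORY 1.35 V LINE [POWER]: 1.05469 W
SMC FAN Exhaust [RPMS]: 1192 RPM
SMC AMBIENT LIGHT 1 [LIGHT]: 70
"""

# One line: sensor name, bracketed measurement type, numeric value, optional unit.
# The name is matched lazily so names containing digits ("1.35 V LINE") still work.
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s*\[(?P<kind>[A-Z]+)\]:\s*"
    r"(?P<value>-?\d+(?:\.\d+)?)\s*(?P<unit>[A-Za-z.]*)$"
)

# Assumed feature layout: which sensors feed the model, in a fixed order so
# every poll yields a vector whose columns mean the same thing.
FEATURE_NAMES: List[str] = [
    "SMC CPU A PROXIMITY [TEMPERATURE]",
    "SMC CPU CORE [POWER]",
    "SMC DDR3 MEMORY 1.35 V LINE [POWER]",
    "SMC FAN Exhaust [RPMS]",
]


def parse_readings(text: str) -> Dict[str, float]:
    """Parse one poll of sensor lines into {"NAME [TYPE]": value}.

    The same sensor name can appear with several types (CPU CORE has VOLTAGE,
    CURRENT and POWER rows in Table 1), so the type is part of the key.
    """
    readings: Dict[str, float] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable sensor line: {line!r}")
        key = f"{m['name']} [{m['kind']}]"
        if key in readings:
            raise ValueError(f"duplicate sensor in one poll: {key}")
        readings[key] = float(m["value"])
    return readings


def to_feature_vector(readings: Dict[str, float],
                      feature_names: List[str] = FEATURE_NAMES) -> List[float]:
    """Order the selected sensors into the model's feature vector.

    A missing sensor is an error rather than a silently substituted zero: the
    model is fitted on a fixed layout, and a zero CPU temperature would be
    read as a strong (and wrong) signal.
    """
    missing = [n for n in feature_names if n not in readings]
    if missing:
        raise KeyError(f"poll is missing expected sensors: {missing}")
    return [readings[n] for n in feature_names]


if __name__ == "__main__":
    print(to_feature_vector(parse_readings(SAMPLE_READINGS)))
```

Because Table 1 shows sensor names differing between product models, a deployment would generate FEATURE_NAMES per model rather than hard-coding it as here; the fixed ordering is what matters, since the trained weights are tied to column positions.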

In some implementations, the sensor-monitoring module 102 can determine prediction models using Machine Learning (ML) techniques. In these instances, the sensor-monitoring module 102 trains models using a large amount of data gathered and processed from an experimental environment. The sensor-monitoring module 102 can use the sensor data, such as that provided in Table 1, to form a feature vector that differentiates between the binary machine states of “normal operation” versus “ransomware payload execution” (i.e., unauthorized encryption activity). Instead of relying on one type of sensor data, the feature vector can combine multiple types of sensor data. In response to the sensor-data feature vector indicating a specific state of encryption, the sensor-monitoring module 102 can issue alerts and suspend the corresponding encryption processes.

In some instances, the sensor-monitoring module 102 can use a simple logistic regression approach as the ML classification algorithm to discriminate between the binary states of “normal operation” versus “ransomware payload execution.” Other alternative classification algorithms can be used without departing from the scope of the disclosure. In addition, the feature vector may be refined using techniques such as Principal Component Analysis (PCA), Linear Discriminant Analysis (LDA), and others. In some implementations, the sensor-monitoring module 102 can train the prediction models using different methods of encryption such as Electronic Code Book, Cipher-Block Chaining, Cipher FeedBack, XOR encryption, and others.

In some aspects of operation, the sensor-monitoring module 102 receives a training set of hardware sensor data. The hardware sensor data can include data on how the sensors behave on the host computer under normal operating conditions as well as data taken while a covert encryption process is executed. After the sensor training data has been retrieved, the sensor-monitoring module 102 can perform logistic regression to fit the model to the training data. Due to the slight variation between the components of each computer, the resulting ransomware detection model may be different for different devices. Once determined, the sensor-monitoring module 102 can use the model to classify the state of the computing device 100 whenever the hardware sensors are routinely polled. If the model predicts that a suspicious encryption process is executing, the sensor-monitoring module 102 can notify the user and suspend or terminate the suspicious process. In some implementations, the detection algorithm can run as a background process to allow normal usage of the system. A pseudocode version of the detection algorithm is provided below.

    // load model from binary file
    model = load('./model.pkl')
    attack_count = 0
    previous_prediction = 0
    under_attack = False
    // threshold: number of positive predictions that must accumulate
    // before the device is declared under attack (set per deployment)

    // check sensor data and make prediction
    while True:
        data = monitor.read_sensors()
        prediction = model.predict(data)
        // determine action based on current and previous data
        if prediction:
            attack_count += 1
        else:
            // two consecutive negative predictions clear the attack state;
            // a single negative poll between positives does not
            if previous_prediction == 0:
                attack_count = 0
                under_attack = False
        previous_prediction = prediction
        // set condition to under attack if positive predictions
        // increase above threshold
        if attack_count > threshold:
            under_attack = True
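As an added example (not the patent's own code), the following Python carries the pseudocode above through to something runnable: a small logistic-regression classifier fitted by batch gradient descent on standardized feature vectors, trained on constructed synthetic "normal" and "encrypting" sensor polls, and the debounced detection loop of the pseudocode applied over a finite sequence of polls. The four features, their synthetic class centres and spreads, the seed, the threshold value and the predict callable passed to run_detector are all assumptions made for illustration.

```python
import math
import random
from typing import Callable, List, Sequence, Tuple

Vector = List[float]

# Assumed feature layout: CPU temperature (F), CPU power (W), fan RPM, memory
# power (W). The centres and spreads are constructed for illustration only.
NORMAL_CENTRE = [115.0, 2.0, 1300.0, 1.0]
ENCRYPT_CENTRE = [135.0, 9.0, 3500.0, 1.6]
SPREAD = [6.0, 1.5, 400.0, 0.2]


def synthetic_polls(rng: random.Random, n: int, encrypting: bool) -> List[Vector]:
    """Constructed sensor polls: per-state centre plus Gaussian noise."""
    centre = ENCRYPT_CENTRE if encrypting else NORMAL_CENTRE
    return [[c + rng.gauss(0.0, s) for c, s in zip(centre, SPREAD)] for _ in range(n)]


class LogisticModel:
    """Binary logistic regression on standardized features (batch gradient descent)."""

    def __init__(self, n_features: int) -> None:
        self.w = [0.0] * n_features
        self.b = 0.0
        self.mean = [0.0] * n_features
        self.std = [1.0] * n_features

    def _scale(self, x: Sequence[float]) -> Vector:
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)]

    def _proba_scaled(self, xs: Sequence[float]) -> float:
        z = self.b + sum(wi * xi for wi, xi in zip(self.w, xs))
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, X: Sequence[Vector], y: Sequence[int],
            lr: float = 0.5, epochs: int = 200) -> "LogisticModel":
        # Standardize per feature so RPM (thousands) does not swamp power (watts).
        cols = list(zip(*X))
        self.mean = [sum(c) / len(c) for c in cols]
        self.std = [max(math.sqrt(sum((v - m) ** 2 for v in c) / len(c)), 1e-9)
                    for c, m in zip(cols, self.mean)]
        Xs = [self._scale(x) for x in X]
        n = len(self.w)
        for _ in range(epochs):
            gw, gb = [0.0] * n, 0.0
            for xs, t in zip(Xs, y):
                err = self._proba_scaled(xs) - t   # gradient of log-loss
                for i in range(n):
                    gw[i] += err * xs[i]
                gb += err
            for i in range(n):
                self.w[i] -= lr * gw[i] / len(Xs)
            self.b -= lr * gb / len(Xs)
        return self

    def predict(self, x: Sequence[float]) -> int:
        """1 = ransomware payload execution, 0 = normal operation."""
        return int(self._proba_scaled(self._scale(x)) >= 0.5)


def run_detector(predict: Callable[[Vector], int], polls: Sequence[Vector],
                 threshold: int) -> List[bool]:
    """The pseudocode loop over a finite poll sequence; returns under_attack per poll.

    A single negative poll between positives does not clear the state: count
    and flag are reset only after two consecutive negative predictions.
    """
    attack_count, previous_prediction, under_attack = 0, 0, False
    states: List[bool] = []
    for data in polls:
        prediction = predict(data)
        if prediction:
            attack_count += 1
        elif previous_prediction == 0:
            attack_count = 0
            under_attack = False
        previous_prediction = prediction
        if attack_count > threshold:
            under_attack = True
        states.append(under_attack)
    return states


def train_and_evaluate(seed: int = 2024) -> Tuple[LogisticModel, float]:
    """Fit on constructed polls; return the model and its held-out accuracy."""
    rng = random.Random(seed)
    train = synthetic_polls(rng, 100, False) + synthetic_polls(rng, 100, True)
    model = LogisticModel(len(train[0])).fit(train, [0] * 100 + [1] * 100)
    test = synthetic_polls(rng, 40, False) + synthetic_polls(rng, 40, True)
    truth = [0] * 40 + [1] * 40
    correct = sum(model.predict(x) == t for x, t in zip(test, truth))
    return model, correct / len(test)


if __name__ == "__main__":
    model, acc = train_and_evaluate()
    print(f"held-out accuracy: {acc:.3f}")
    rng = random.Random(1)
    timeline = (synthetic_polls(rng, 5, False) + synthetic_polls(rng, 12, True)
                + synthetic_polls(rng, 6, False))
    print(run_detector(model.predict, timeline, threshold=3))
```

The threshold trades detection latency for false alarms: with threshold=3 the flag is raised on the fourth positive poll, so at one poll per second an attack is confirmed about four seconds in, while a burst of three stray positives is ignored. Because fit standardizes with the training mean and spread, a model trained on one machine must not be reused on another without refitting, which matches the per-device models the text describes.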

FIGS. 2-5 illustrate example results for testing conducted on two different computing devices. Testing was conducted on two computing devices, one running Apple OSX® and the other running Microsoft Windows®. Specifically, the Apple OSX machine was a Macbook Air with a 1.3 GHz Intel® i5 processor and 4 GB of main memory, and the Windows® machine had an Intel® i7 processor with 32 GB of main memory.

Training data was collected on both computing devices and the data was used to generate a prediction model for each computing device. The new encryption detection method was tested utilizing a ransomware simulation testing script written in Python. The size of the directory and the method of encryption were selected by randomly picking a number between 1 and 100. All values of 60 and below caused encryption of the small directory, all values from 61 to 90 encrypted the medium directory, and all values from 91 to 100 encrypted the large directory. The particular encryption method used was randomly selected among the four types we implemented in our experiments.

After a particular directory has been encrypted, the script waits a random amount of time before performing additional encryption. The amount of time it waits is proportional to the size of the directory it previously encrypted. After encrypting a small directory, a random amount of time between 1 and 60 seconds is selected, a time between 5 and 10 minutes is selected for the medium directory, and a time between 15 and 30 minutes is selected for the large directory. The script also randomly selects a value between 5 and 15 and waits for an hour and a half after encrypting that many gigabytes of data. Randomness and wait times are utilized in order to simulate the attempts made by an adversary to avoid detection of ransomware payload execution. During the encryption process, the script searches for files by recursively starting from a given path. Files that have extensions matching a list of common user file types are read and their data is encrypted. After encryption the data is copied over the existing data in the original file.

After testing the Windows® machine for 5 hours, 94.2% of sensor polls were accurately predicted as either “under attack” or “no attack”. The confusion matrix in FIG. 2 shows the relationship between the predictions made by the model and the actual state of the computing device. During the periods the script was performing encryption, 98.1% of polling predictions correctly identified a state of under attack. During the periods the script was not performing encryption, 92.5% of polling predictions correctly identified a state of no attack.

1.9% of the checks that occurred during periods of encryption incorrectly predicted that there was no attack (i.e., a false negative error), while 7.5% of periods with no encryption incorrectly predicted that there was an attack (i.e., a false positive error). The classification method was tuned in a conservative fashion to focus more upon the reduction of false negative errors than on false positives, as the former error type is assumed to be more critical than the latter.

The overall accuracy of the encryption detection method is illustrated in FIG. 3. The uppermost graph, (a), of the figure represents the actual periods of encryption or “truth data” while the plot on the bottom, (b), represents the predicted periods of encryption. These graphs depict the machine state on the vertical axis with zero indicating normal operation and one indicating under attack. The horizontal axes depict time. The Apple computing device was tested by only encrypting the large directory after a random wait period between 30 and 60 minutes over a 6-hour period. This method gives a clear indication of how well the new detection method can detect periods of high volume encryption. The confusion matrix in FIG. 4 shows the relationship between the predictions made by the model and the actual state of the computing device.

After testing the Apple machine, 98.2% of the sensor polls resulted in accurate predictions. During the periods the script was actually performing an encryption operation, 99.7% of the polling predictions correctly identified a state of “under attack.” During the periods the script was not performing encryption, 97.7% of polling predictions correctly identified a state of “no attack.” A false negative rate of 0.27% of the checks that occurred during periods of encryption incorrectly predicted that there was no attack, while a false positive error rate of 2.3% of observations with no encryption incorrectly predicted that there was an attack. FIG. 5 shows the periods of actual encryption in the uppermost portion, (a), and periods of predicted encryption in the lower portion, (b). As in FIG. 3, the vertical axes depict machine state and the horizontal axes depict time.

Upon further analysis of the results, most periods of false positive predictions occurred directly after a correct attack prediction. This can be observed in FIG. 5, which contains false positive periods after the second and fourth encryption periods. Implementing additional testing and filtering techniques that more closely scrutinize predictions being made for a short period directly following a positive prediction period can result in increased overall accuracy. In some implementations, temporal or history data regarding recent past predictions may be included in the analysis.
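As an added example (not from the patent), the following Python builds the confusion matrix and the accuracy, true positive, false negative and false positive rates quoted in the results above from a constructed one-poll-per-second timeline, and then applies one concrete form of the post-positive filtering the paragraph above suggests: a run of positive predictions that begins within a short window after a kept positive run is discarded unless it lasts at least min_run polls. The timeline, the window and min_run values are assumptions; the filter is one possible design, not the one the patent implemented.

```python
from typing import Dict, List, Sequence, Tuple


def build_timeline() -> Tuple[List[int], List[int]]:
    """Constructed truth/prediction sequences at one poll per second (not measured data).

    Truth: 20 s idle, 30 s encrypting, 30 s idle, 30 s encrypting, 30 s idle.
    Predictions: one false negative inside the first attack, short false
    positive runs right after each attack (the pattern the text reports),
    and one isolated false positive far from any attack.
    """
    truth = [0] * 20 + [1] * 30 + [0] * 30 + [1] * 30 + [0] * 30
    pred = list(truth)
    pred[25] = 0
    for i in (52, 53, 115, 116, 130):
        pred[i] = 1
    return truth, pred


def confusion(truth: Sequence[int], pred: Sequence[int]) -> Dict[str, int]:
    """Counts for the 2x2 matrix: attack is the positive class."""
    cm = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for t, p in zip(truth, pred):
        if t and p:
            cm["tp"] += 1
        elif t:
            cm["fn"] += 1
        elif p:
            cm["fp"] += 1
        else:
            cm["tn"] += 1
    return cm


def rates(cm: Dict[str, int]) -> Dict[str, float]:
    """Accuracy plus the per-class rates the text reports (tpr/fnr over attack polls, fpr/tnr over idle polls)."""
    positives = cm["tp"] + cm["fn"]
    negatives = cm["fp"] + cm["tn"]
    return {
        "accuracy": (cm["tp"] + cm["tn"]) / (positives + negatives),
        "tpr": cm["tp"] / positives,
        "fnr": cm["fn"] / positives,
        "fpr": cm["fp"] / negatives,
        "tnr": cm["tn"] / negatives,
    }


def positive_runs(pred: Sequence[int]) -> List[Tuple[int, int]]:
    """Inclusive (start, end) index pairs of each maximal run of positive predictions."""
    runs: List[Tuple[int, int]] = []
    start = None
    for i, p in enumerate(list(pred) + [0]):   # sentinel closes a trailing run
        if p and start is None:
            start = i
        elif not p and start is not None:
            runs.append((start, i - 1))
            start = None
    return runs


def filter_post_attack_blips(pred: Sequence[int], window: int, min_run: int) -> List[int]:
    """Drop short positive runs that start within `window` polls of the last kept positive run.

    Long runs are always kept, so a genuine new attack shortly after a
    previous one still gets through once it has persisted for min_run polls.
    """
    out = list(pred)
    last_kept_end = None
    for start, end in positive_runs(pred):
        length = end - start + 1
        recent = last_kept_end is not None and start - last_kept_end <= window
        if recent and length < min_run:
            for i in range(start, end + 1):
                out[i] = 0
        else:
            last_kept_end = end
    return out


if __name__ == "__main__":
    truth, pred = build_timeline()
    print("before:", rates(confusion(truth, pred)))
    print("after: ", rates(confusion(truth, filter_post_attack_blips(pred, 10, 3))))
```

The filter only touches predictions in the shadow of a recent attack, so it cannot reduce the false positive rate elsewhere (the isolated blip at second 130 survives), and it costs a small amount of latency on a short re-attack inside the window. Given the text's stated preference for false negatives being the more costly error, min_run should be kept small and the window no longer than the observed post-attack settling period.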

Legitimate encryption can be accounted for using white-listing or other methods that notify the detection process that legitimate encryption operations are in progress. For example, system registry data can be used to label processes that employ legitimate encryption, and the ransomware detection process can be augmented to verify whether a detection is the result of a legitimate process before a state of “ransomware payload execution” is declared.

In some implementations, the experimental ransomware detection algorithm can use a simple polling or sampling method wherein the operational phase of the detection method periodically queries the sensors to obtain readings. This approach suffers from potential aliasing problems, particularly if the malware payload were to be implemented in short bursts or were to use some other form of intelligence about the state of the victim system before encryption is executed. In some implementations, the scheduling of sensor queries can use an event-based technique. In these instances, error rates can be reduced while also reducing the average computational overhead, since ransomware payload execution is a relatively rare event.

The method can be applicable to both previously known as well as zero-day instances of ransomware that employ encryption in the payload. The detection method results in very low, if any, data loss since encryption detection can occur very early in the timespan of the malicious encryption activity. For example, the data loss may be less than 5%, 1%, or 0.1%. The method is based upon monitoring on-board hardware sensor data streams rather than characteristics of the targeted data. The new technique may not require modification of hosting computer systems because most computing devices include pre-existing physical sensors, supporting circuitry, and access to the sensor readings.

FIG. 6 is a flow diagram illustrating an example method 600 of detecting ransomware, according to an implementation. For clarity of presentation, the description that follows generally describes method 600 in the context of the other figures in this description. However, it will be understood that method 600 may be performed, for example, by any suitable system, environment, software, and hardware, or a combination of systems, environments, software, and hardware, as appropriate. For example, method 600 can be performed by the example computing system 100 illustrated in FIG. 1. In some implementations, various steps of method 600 can be run in parallel, in combination, in loops, or in any order.

The method 600 begins at step 602 where sensor data is collected during normal operations. For example, the sensor-monitoring module 102 can retrieve sensor data during normal operations. Ransomware encryption is simulated at step 604, and the sensor data is retrieved during that simulation at step 606. Next, at step 608, a predictive model is trained using both data sets. Once trained, sensor data of the computing device is monitored, at step 610, using the trained predictive model and sensor data to detect ransomware encryption. At step 612, initiation of ransomware encryption is detected using the trained predictive model and sensor data. At step 614, the encryption is at least suspended.

A number of embodiments of the invention have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the invention. Accordingly, other embodiments are within the scope of the following claims.

What is claimed is:
1. A non-transitory computer readable medium storing instructions to cause a processor of a computing device to perform operations comprising: a) simulating execution of a malware in the computing device; b) while the simulation of malware is executed by the computing device, obtaining sensor data from multiple sensors in the computing device, wherein the multiple sensors comprise different types of sensors to monitor an operating condition of internal hardware components of the computing device, the multiple sensors residing in a side channel separate from the processor of the computing device, and the obtained sensor data reflective of the operating condition of the internal hardware components while the simulation of malware is executed by the computing device, wherein the obtained sensor data obtained while the simulation of malware is executed by the computing device is different from sensor data obtained while the computing device is not executing the simulation of malware; c) training a predictive model to detect malware using the obtained sensor data to detect execution of a malware target process by the computing device; d) after training the predictive model, obtaining sensor data from multiple sensors in the computing device during a normal operation of the computing device; e) analyzing the obtained sensor data retrieved during the normal operation based on the predictive model; f) determining execution of malware in response to analyzing the obtained sensor data retrieved during the normal operation based on the predictive model; and g) in response to the determination, terminating the malware.

2. The non-transitory computer readable medium of claim 1, wherein the operations do not comprise behavioral analysis to determine the execution of malware.

3. The non-transitory computer readable medium of claim 1, wherein the operations do not comprise behavioral analysis to determine the execution of the malicious target process.

4. The non-transitory computer readable medium of claim 1, wherein the malware comprises ransomware, data stealing malware, spyware, adware, a trojan, a worm, a rootkit, a keylogger, a screen scraper, a bot, or a combination thereof.

5. The non-transitory computer readable medium of claim 1, wherein the predictive model comprises a feature vector determined using machine learning.

6. The non-transitory computer readable medium of claim 5, wherein the feature vector is determined using a single machine learning model.

7. The non-transitory computer readable medium of claim 5, wherein the feature vector is determined using a collection of machine learning models.

8. The non-transitory computer readable medium of claim 1, wherein the multiple sensors comprise a sensor for at least one of a main memory power, voltage, current, or temperature.

9. The non-transitory computer readable medium of claim 1, wherein the determination comprises a binary prediction.

10. The non-transitory computer readable medium of claim 1, wherein the malicious target process comprises a file input/output (I/O) process.

11. The non-transitory computer readable medium of claim 1, wherein the malicious target process comprises a network input/output (I/O) process.

12. The non-transitory computer readable medium of claim 1, wherein the malicious target process comprises a virtualization process.

13. The non-transitory computer readable medium of claim 1, wherein the malicious target process comprises data exfiltration.
14. A method comprising: a) simulating execution of a malware in a computing device; b) while the simulation of malware is executed by the computing device, obtaining sensor data from multiple sensors in the computing device, wherein the multiple sensors comprise different types of sensors to monitor an operating condition of internal hardware components of the computing device, the multiple sensors residing in a side channel separate from the processor of the computing device, and the obtained sensor data reflective of the operating condition of the internal hardware components while the simulation of malware is executed by the computing device, wherein the obtained sensor data obtained while the simulation of malware is executed by the computing device is different from sensor data obtained while the computing device is not executing the simulation of malware; c) training a predictive model to detect malware using the obtained sensor data to detect execution of a malicious target process by the computing device; d) after training the predictive model, obtaining sensor data from multiple sensors in the computing device during a normal operation of the computing device; e) analyzing the obtained sensor data retrieved during the normal operation based on the predictive model; f) determining execution of malware in response to analyzing the obtained sensor data retrieved during the normal operation based on the predictive model; and g) in response to the determination, terminating the malware.

15. The method of claim 14, wherein the method does not comprise conducting behavioral analysis to determine the execution of malware.

16. The method of claim 14, wherein the method does not comprise conducting behavioral analysis to determine the execution of the malicious target process.

17. The method of claim 14, wherein the malware comprises ransomware, data stealing malware, spyware, adware, a trojan, a worm, a rootkit, a keylogger, a screen scraper, a bot, or a combination thereof.

18. The method of claim 14, wherein the predictive model comprises a feature vector determined using machine learning.

19. The method of claim 18, wherein the feature vector is determined using a single machine learning model.

20. The method of claim 18, wherein the feature vector is determined using a collection of machine learning models.

21. The method of claim 14, wherein the multiple sensors comprise a sensor for at least one of a main memory power, voltage, current, or temperature.

22. The method of claim 14, wherein the determination comprises a binary prediction.

23. The method of claim 14, wherein the malicious target process comprises a file input/output (I/O) process.

24. The method of claim 14, wherein the malicious target process comprises a network input/output (I/O) process.

25. The method of claim 14, wherein the malicious target process comprises a virtualization process.

26. The method of claim 14, wherein the malicious target process comprises data exfiltration.
 27. Anintegrated circuit configured to perform operations comprising: a)simulating execution of a malware in a computing device; b) while thesimulation of malware is executed by the computing device, obtainingsensor data from multiple sensors in the computing device, wherein themultiple sensors comprise different types of sensors to monitor anoperating condition of internal hardware components of the computingdevice, the multiple sensors residing in a side channel separate fromthe processor of the computing device, and the obtained sensor datareflective of the operating condition of the internal hardwarecomponents while the simulation of malware is executed by the computingdevice, wherein the obtained sensor data obtained while the simulationof malware is executed by the computing device is different from sensordata obtained while the computing device is not executing the simulationof malware; c) training a predictive model to detect malware using theobtained sensor data to detect execution of a malware target process bythe computing device; d) after training the predictive model, obtainingsensor data from multiple sensors in the computing device during anormal operation of the computing device; e) analyzing the obtainedsensor data retrieved during the normal operation based on thepredictive model; f) determining execution of malware in response toanalyzing the obtained sensor data retrieved during the normal operationbased on the predictive model; and g) in response to the determination,terminating the malware.
28. The integrated circuit of claim 27, wherein the operations do not comprise behavioral analysis to determine the execution of malware.
29. The integrated circuit of claim 27, wherein the operations do not comprise behavioral analysis to determine the execution of the malicious target process.
30. The integrated circuit of claim 27, wherein the malware comprises ransomware, data stealing malware, spyware, adware, a trojan, a worm, a rootkit, a keylogger, a screen scraper, a bot, or a combination thereof.
31. The integrated circuit of claim 27, wherein the predictive model comprises a feature vector determined using machine learning.
32. The integrated circuit of claim 31, wherein the feature vector is determined using a single machine learning model.
33. The integrated circuit of claim 31, wherein the feature vector is determined using a collection of machine learning models.
34. The integrated circuit of claim 27, wherein the multiple sensors comprise a sensor for at least one of a main memory power, voltage, current, or temperature.
35. The integrated circuit of claim 27, wherein the determination comprises a binary prediction.
36. The integrated circuit of claim 27, wherein the malicious target process comprises a file input/output (I/O) process.
37. The integrated circuit of claim 27, wherein the malicious target process comprises a network input/output (I/O) process.
38. The integrated circuit of claim 27, wherein the malicious target process comprises a virtualization process.
39. The integrated circuit of claim 27, wherein the malicious target process comprises data exfiltration.
40. A computing device comprising circuitry configured to perform operations comprising:
a) simulating execution of a malware in the computing device;
b) while the simulation of malware is executed by the computing device, obtaining sensor data from multiple sensors in the computing device, wherein the multiple sensors comprise different types of sensors to monitor an operating condition of internal hardware components of the computing device, the multiple sensors residing in a side channel separate from the processor of the computing device, and the obtained sensor data reflective of the operating condition of the internal hardware components while the simulation of malware is executed by the computing device, wherein the obtained sensor data obtained while the simulation of malware is executed by the computing device is different from sensor data obtained while the computing device is not executing the simulation of malware;
c) training a predictive model to detect malware using the obtained sensor data to detect execution of a malware target process by the computing device;
d) after training the predictive model, obtaining sensor data from multiple sensors in the computing device during a normal operation of the computing device;
e) analyzing the obtained sensor data retrieved during the normal operation based on the predictive model;
f) determining execution of malware in response to analyzing the obtained sensor data retrieved during the normal operation based on the predictive model; and
g) in response to the determination, terminating the malware.
41. The computing device of claim 40, wherein the operations do not comprise behavioral analysis to determine the execution of malware.
42. The computing device of claim 40, wherein the operations do not comprise behavioral analysis to determine the execution of the malicious target process.
43. The computing device of claim 40, wherein the malware comprises ransomware, data stealing malware, spyware, adware, a trojan, a worm, a rootkit, a keylogger, a screen scraper, a bot, or a combination thereof.
44. The computing device of claim 40, wherein the predictive model comprises a feature vector determined using machine learning.
45. The computing device of claim 44, wherein the feature vector is determined using a single machine learning model.
46. The computing device of claim 44, wherein the feature vector is determined using a collection of machine learning models.
47. The computing device of claim 40, wherein the multiple sensors comprise a sensor for at least one of a main memory power, voltage, current, or temperature.
48. The computing device of claim 40, wherein the determination comprises a binary prediction.
49. The computing device of claim 40, wherein the malicious target process comprises a file input/output (I/O) process.
50. The computing device of claim 40, wherein the malicious target process comprises a network input/output (I/O) process.
51. The computing device of claim 40, wherein the malicious target process comprises a virtualization process.
52. The computing device of claim 40, wherein the malicious target process comprises data exfiltration.
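The train-then-detect sequence of steps a) through g) in claims 27 and 40, with the main-memory power, voltage, current and temperature sensors of claims 34 and 47, a feature vector as in claims 31 and 44, and the binary prediction of claims 35 and 48, as an added example that is not the patent's own implementation. All sensor readings are constructed in the block; the sensor names, the window shape, the nearest-centroid model standing in for the claimed "predictive model", and the injected terminate hook are this example's assumptions. As in claims 28 and 41, the classifier consumes only sensor telemetry, with no syscall or file-activity features.

```python
"""Added example: fit a model on side-channel sensor telemetry captured while a
malware simulation runs, then classify live windows and terminate on a hit.
Readings are constructed; sensor names and the terminate hook are assumptions."""
import math
from statistics import mean, pstdev

# Assumed main-memory side-channel sensors (power, voltage, current, temperature).
SENSORS = ("mem_power_w", "mem_voltage_v", "mem_current_a", "mem_temp_c")


def window(power, current, temp, n=6, ramp=0.02, voltage=1.2):
    """Constructed sampling window: n readings per sensor with a small ramp so
    mean and peak differ. The voltage rail is regulated, so it stays flat."""
    return {
        "mem_power_w":   [round(power + ramp * i, 3) for i in range(n)],
        "mem_voltage_v": [voltage] * n,
        "mem_current_a": [round(current + ramp * i, 3) for i in range(n)],
        "mem_temp_c":    [round(temp + 0.5 * i, 1) for i in range(n)],
    }


# Steps a/b: telemetry captured while a malware simulation (for example a
# scripted bulk-encryption workload) runs, versus normal operation. Constructed.
TRAIN_SIMULATED_MALWARE = [window(3.6, 3.0, 56), window(3.8, 3.1, 58),
                           window(3.7, 3.2, 57), window(3.9, 3.3, 59)]
TRAIN_NORMAL = [window(2.0, 1.7, 41), window(2.1, 1.8, 42),
                window(2.2, 1.8, 43), window(2.0, 1.7, 40)]


def extract_features(w):
    """Feature vector: per-sensor mean and peak over the window (8 values).
    Sensor data only; no behavioral (syscall/file) features."""
    feats = []
    for s in SENSORS:
        feats.append(mean(w[s]))
        feats.append(max(w[s]))
    return feats


class CentroidModel:
    """Nearest-centroid classifier in standardized feature space, a simple
    stand-in for the claimed predictive model."""

    def __init__(self):
        self.mu, self.sigma, self.centroids = None, None, {}

    def _standardize(self, f):
        return [(x - m) / s for x, m, s in zip(f, self.mu, self.sigma)]

    def fit(self, rows, labels):
        cols = list(zip(*rows))
        self.mu = [mean(c) for c in cols]
        # A constant column (regulated voltage rail) has zero spread: avoid a
        # division by zero; that feature then contributes nothing, as it should.
        self.sigma = [s if s > 1e-12 else 1.0 for s in (pstdev(c) for c in cols)]
        grouped = {}
        for f, y in zip(rows, labels):
            grouped.setdefault(y, []).append(self._standardize(f))
        self.centroids = {y: [mean(c) for c in zip(*g)] for y, g in grouped.items()}

    def predict(self, f):
        """Binary prediction: 'malware' or 'normal'."""
        z = self._standardize(f)
        dist = {y: math.dist(z, c) for y, c in self.centroids.items()}
        return min(dist, key=dist.get)


def train_model():
    """Step c: fit on the simulated-malware and normal windows."""
    rows = [extract_features(w) for w in TRAIN_SIMULATED_MALWARE + TRAIN_NORMAL]
    labels = ["malware"] * len(TRAIN_SIMULATED_MALWARE) + ["normal"] * len(TRAIN_NORMAL)
    m = CentroidModel()
    m.fit(rows, labels)
    return m


def monitor(model, live_window, pid, terminate):
    """Steps d-g: classify one live window; on a hit call the supplied
    terminate(pid) hook (injected so this example never kills a real process).
    Returns (prediction, terminated)."""
    verdict = model.predict(extract_features(live_window))
    if verdict == "malware":
        terminate(pid)
        return verdict, True
    return verdict, False


if __name__ == "__main__":
    model = train_model()
    killed = []
    print(monitor(model, window(2.1, 1.8, 42), 4242, killed.append))  # ('normal', False)
    print(monitor(model, window(3.7, 3.1, 57), 4243, killed.append))  # ('malware', True)
```

The voltage columns are deliberately constant in the constructed data: a regulated rail carries no signal, and a model that divides by its zero spread would fail at fit time, so the guard in `fit` is the edge case worth keeping when real telemetry includes a flat sensor. The terminate action is injected rather than calling `os.kill`, so the detection logic can be exercised without side effects.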